The document discusses cybersecurity threats and advanced persistent threats (APTs). It provides an overview of the evolution of cyber threats from early computer viruses and malware in the 1970s-1980s to increasingly sophisticated nation-state sponsored APTs. It describes APTs as targeted attacks aimed at data exfiltration that are advanced, persistent, and use complex techniques to maintain access and avoid detection. The document outlines the typical multi-stage exploitation cycle of APTs, from initial reconnaissance and intrusion to establishing backdoors, escalating privileges, and maintaining long-term persistence within the target network to exfiltrate data.
In 2020, people will interact each day with more than 70 devices connected to the Internet. Nowadays we interact with fewer than 10 connected devices. The M2M phenomenon will boost Cloud and Internet users and bandwidth use: from 1 billion users today to 3 billion devices connected in 5 years.
The Certified Ethical Hacker (CEH) program is the core of the most desired information security training system any information security professional will ever want to be in.
Oh... that's ransomware and... look behind you, a three-headed Monkey (Stefano Maccaglia)
A funny presentation Marco Faggian and I held for an ISACA seminar in November 2020, related to our investigation of some ransomware cases... stay tuned... oh... look behind you, a three-headed monkey!...
Cyber attacks are on the rise, and organizations in every industry are at risk. Understand the threats, and how you can evaluate, assess, and ultimately take steps to protect your agency.
This volume of the Microsoft Security Intelligence Report focuses on the first and second quarters of 2016, with trend data for the last several quarters presented on a quarterly basis. Because vulnerability disclosures can be highly inconsistent from quarter to quarter and often occur disproportionately at certain times of the year, statistics about vulnerability disclosures are presented on a half-yearly basis.
The Emergency Operations Center (EOC) is the nerve center for a community's response to a disaster. This paper discusses the technology infrastructure that we recommend for EOCs to support rapidly emerging crisis situations and respond to communities in a more effective, agile way.
Security is no longer an add-on to the information system; it must be integrated at every level, from the architecture through to incident resolution, including the day-to-day operation of data centers. In a context of increased mobility, and considering the emergence of an on-demand computing model, security relies as much on technical prevention as on the behavioural education of users and on the ability of systems to withstand attacks. Session presented by partner: DELL.
Speakers : Florian Malecki (DELL)
Kaspersky Lab, one of the world’s fastest-growing cybersecurity companies and the largest that is privately-owned, presents a short story about the company - its Values, Business, Solutions, i.e. what we think and strive for in our business, how we develop our technologies and solutions to protect our customers and people around the globe against cyberthreats, as well as the results we've managed to achieve.
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
Cyber Security Professionals Viewed via Supply Chain (aletarw)
This research examines the issue of supply and demand for cybersecurity professionals to determine how to optimize the output of cybersecurity professionals through a supply chain. It was found that progress is impeded by the lack of a clearly defined and standardized definition of a cybersecurity worker and their associated knowledge, skills, and abilities. There is a known shortage of cybersecurity professionals that is affecting the ability of the United States to fulfil the mandate of President Obama who declared that the protection of our digital infrastructure is a national security priority. The problem with this declaration is that a literature review confirms there is no standard definition of a cybersecurity worker, associated skills, or educational requirements. The cybersecurity workforce to which we speak in this report consists of those who self-identify as cyber or security specialists as well as those who build and maintain the nation’s critical infrastructure. Considering the criticality of the national infrastructure, it is time for the US to take immediate steps to coordinate the development of the cybersecurity field and its associated workforce supply chain.
This paper from Cisco, the Naval Postgraduate School and Carnegie-Mellon University discusses the evolution of Hastily Formed Networks and how these emergency networks have been deployed in humanitarian emergencies such as the 2010 Haiti Earthquake.
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key... (Inno Eroraha [NetSecurity])
"Man and Machine: Forming a Perfect Union to Mature Security Programs" is a Keynote Address given by Inno Eroraha (NetSecurity) at Global Cyber Security in Healthcare & Pharma Summit in London, UK on 2/6/2020. The presentation highlights the following:
- Securing the enterprise is like protecting the human body
- Complement Penetration Testing with Compromise Assessment and/or Threat Hunting
- Be situationally aware and avoid being blinded by adversarial activities
- Compliance IS NOT Security
- Know ALL your assets and risks faced by each
- Establish a Data Breach Response Capability now
- Create a Matured Security Program and measure success frequently
- Leverage machines and automation to mature your Security Program
- And more
Presentation by Luc de Graeve at the Gordon Institute of Business Science in 2001.
This presentation is about security in e-commerce and is aimed at making people aware of what hackers do, how they do it and the financial implications of their actions. The presentation begins with a few examples of defaced websites and ends with a discussion on risk and assessment.
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management (DevOps.com)
Cyber attacks from nation-state actors and their proxies are on the rise. Many of these attackers seek a broader scale to do more damage than simply defacing a website with embarrassing propaganda or by causing a temporary internet outage with a DDOS attack. These hackers often have significant backing and resources from their nation-state sponsors, officially or unofficially.
Increasingly, they are targeting key infrastructures such as power utilities, financial networks, hospitals, healthcare organizations, and state and local governments. A popular tactic is to come in through vendors or managed service providers where they can leverage one successful hack to access dozens of entities. This makes proper vendor and third-party risk management more important than ever.
In this webinar, “Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management” we will discuss the threats, methods and attack vectors that hackers are using, with recent examples followed by best practice areas to focus on in order to secure your organization from these types of cyberattacks.
Juan Miguel Velasco López Urda, IT Security. CLOUD COMPUTING, Authentication and Identity Management, Data Protection, Endpoint Protection, Threat Protection, Auditing, Consulting, Personalised Advice, Training
Introduction to the Current Threat Landscape (Melbourne IT)
Do you know what threats are lurking in the shadows? Have you been compromised without even knowing about it? Most companies don't even know if their business has been subjected to attacks and even worse, may have lost sensitive data without knowing about it until it’s too late.
The latest vulnerabilities highlight the extent and depth that hackers are adopting to steal your content or destroy trust in your brand. Our industry experts joining us for the presentation have a wealth of experience in robust security strategies and will be discussing the current online threat landscape, the most prominent approaches to security breaches and what you need to consider to protect your online presence from any potential malicious attacks.
About Melbourne IT:
Melbourne IT Enterprise Services designs, builds and operates custom cloud solutions for Australia’s leading enterprises. Its expert staff help enterprises solve business challenges and build cultures that enable organisations to use technology investments efficiently to improve long-term value. With more than 15 years’ experience in delivering managed outcomes to Australian enterprises, Melbourne IT has been long associated with enabling success. Its certified cloud, consulting, and security experts repeatedly deliver results. Many of the brands you already know and trust rely on Melbourne IT. For more information, visit www.melbourneitenterprise.com.au
If last year’s presentation on the SANS 20 felt like more of a rant than a practical application of elite IT knowledge, Ian Trump’s technical track presentation is going to unleash GFI MAX as a security dashboard like nothing you have seen.
The Octopi team has leveraged network scanning and event log checks, and Ian takes the GFI MAX dashboard to a whole new level. MSPs can take his code and research and immediately apply it to their practices to secure their customers from cyber threats. Dehydrated from the summer information security conferences, Ian will give you the threat intel you need to be on the lookout for in the months ahead.
Besides all the GFI MAX goodness, being part of a live demo to find APT, and seeing Ian link Human Rights, Market Research, Ice, Law, Iggy Azalea, War Ferrets, Christian Studies, Event Auditing, Security Tools, Taylor Swift and How we can all fix the cyber problem into one epic presentation – well, you don’t want to miss this.
Cyber Security Management in a Highly Innovative World (SafeNet)
Cyber attacks are reaching pandemic levels. State-sponsored groups and organized crime are successfully stealing valuable intellectual property—including critical infrastructure and operational readiness information, businesses’ and consumers’ financial data—often without anyone realizing the attack has occurred!
But preparedness cannot be delegated solely to the IT department. The involvement of the entire enterprise, armed with an understanding of the highly dynamic landscape, is vital for warding off potential threats.
Author: David Etue, VP of CorpDev Strategy, SafeNet
Watch the webcast on demand: https://www.brighttalk.com/webcast/6319/75109
54 Chapter 1 • The Threat Environment FIGURE 1-18 Cyberwar .docx (alinainglis)
54 Chapter 1 • The Threat Environment
FIGURE 1-18 Cyberwar and Cyberterror (Study Figure)
Nightmare Threats
- Potential for far greater attacks than those caused by criminal attackers
Cyberwar
- Computer-based attacks by national governments
- Espionage
- Cyber-only attacks to damage financial and communication infrastructure
- To augment conventional physical attacks
  - Attack IT infrastructure along with physical attacks (or in place of physical attacks)
  - Paralyze enemy command and control
  - Engage in propaganda attacks
Cyberterror
- Attacks by terrorists or terrorist groups
- May attack IT resources directly
- Use the Internet for recruitment and coordination
- Use the Internet to augment physical attacks
  - Disrupt communication among first responders
  - Use cyberattacks to increase terror in physical attacks
- Turn to computer crime to fund their attacks
espionage.[87] Cyber espionage from China has been a serious problem since 1999.[88] The Chinese government has been involved in, or sponsored, attacks aimed at the State Department, Commerce Department, Senators, Congressmen, and US military labs.[89]
Cyberwar attacks can be launched without engaging in physical hostilities and still do tremendous damage. Countries can use cyberwar attacks to do massive damage to one another’s financial infrastructures, to disrupt one another’s communication infrastructures, and to damage the country’s IT infrastructure, all as precursors to actual physical hostilities.
Cyberterror
Another nightmare scenario is cyberterror, in which the attacker is a terrorist or group of terrorists.[90] Of course, cyberterrorists can attack information technology resources directly. They can damage a country’s financial, communication, and utilities infrastructure.[91]
87 Dawn S. Onley and Patience Wait, “Red Storm Rising,” GCN.com, August 21, 2006; Keith Epstein, “China Stealing U.S. Computer Data, Says Commission,” Business Week, November 21, 2008. http://www.businessweek.com/bwdaily/dnflash/content/nov2008/db20081121_440892.htm.
88 Daniel Verton and L. Scott Tillett, “DOD Confirms Cyberattack ‘Something New’,” Cnn.com, March 6, 1999.
89 Josh Rogin, “The Top 10 Chinese Cyber Attacks (that we know of),” ForeignPolicy.com, January 22, 2010.
90 Although organized terrorist groups are very serious threats, a related group of attackers is somewhat dangerous. These are hacktivists, who attack based on political beliefs. During tense periods between the United States and China, for instance, hacktivists on both sides have attacked the IT resources of the other country.
91 In 2008, the CIA revealed that attacks over the Internet had cut off electrical power in several cities. Robert McMillan, PC World, January 19, 2008. http://www.pcworld.com/article/id,141564/article.htm?tk=nl_dnxnws.
Most commonly, cyberterrorists use the Internet as a recruitment tool through websites and to coordinate their activities.[92] They can also use cyberterror in conjunction with .
UN session about modern ICT threat landscape.
The session was aimed to introduce recent threats targeting UN agencies and some potential recommendations to improve detection, investigation and understanding of these threats and their goals.
Combating Cyber Security Using Artificial Intelligence (Inderjeet Singh)
Cyber Security & Data Protection India Summit 2018 aims to convene the best minds in Cybersecurity under one roof to create an interactive milieu for the exchange of knowledge and ideas. The event will endeavour to address the emerging and continuing threats to Cybersecurity and its changing landscape, as well as respond to the increasing risk of security breaches and to security governance, application security, cloud-based security, network, mobile and endpoint security and other cyber risks in India and abroad.
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb... (Rishi Singh)
Presentation on the 2015-2016 State of Cybersecurity and Third Party Vendor Risk Management, presented by Matt Pascussi and Rishi Singh.
This presentation was sponsored by TekSystems.
Talk from the event "Cybersecurity: a new era in incident response and data auditing"
Sam Maccherola - VP and General Manager, Public Sector, Guidance Software Inc.
Brasília, August 4, 2010
Oil and Gas iQ’s Cyber Security for Oil and Gas event will bring together relevant stakeholders to discuss the most pressing cyber security issues facing the oil and gas sector. Presentations will examine threat trends, identify immediate and long-term needs, and reveal up-and-coming technologies for use in evolving threat environments. Security managers, IT strategy implementers, and industry partners will gather in Houston, TX to network, share best practices and explore potential paths to mitigate the threat of energy-focused attacks from cyber adversaries. For more information visit http://bit.ly/1cwasCO
The rise of a generation of new hackers has propelled a boom in successful cyberattacks and data breaches over the last decade. This generation of "modern adversaries" has caused billions of dollars in damages in the last few years, and both the pace and danger of their attacks continue to grow.
This presentation analyzes modern hacker adversaries: who are they, how are they circumventing traditional security systems, and what can the information security industry do to detect and stop these new threats.
3. Major Operating Locations Melbourne United States Alaska Armenia Austria Canada Chile China Czech Republic Denmark Egypt Estonia Germany Hungary Ireland Japan Kazakhstan Latvia Malaysia Mongolia North Sea (Dutch) Norway Netherlands Scotland Singapore Slovakia South Africa Spain Taiwan Thailand United Kingdom Era Customers Australia Linz, Austria Pardubice, Czech Republic Paris, France Cologne, Germany Stuttgart, Germany Oxford, UK Fairfax, VA (HQ) Arlington, VA Alexandria, VA ---------------------------- Falls Church, VA Frederick, MD Reston, VA ------------------------ McLean, VA Vienna, VA ------------------------ Rockville, MD Washington, DC ------------------------ Egg Harbor Township, NJ Ft Monmouth, NJ Mt Arlington, NJ Shrewsbury, NJ Albuquerque, NM Las Vegas, NV New York, NY Cincinnati, OH Dayton, OH Hatboro, PA Sierra Vista, AZ Newport Beach, CA Sacramento, CA San Diego, CA Colorado Springs, CO Glastonbury, CT Ft Walton Beach, FL Atlanta, GA Warner Robins, GA Fairview Heights, IL Indianapolis, IN Louisville, KY Boston, MA Baltimore, MD Columbia, MD Frederick, MD Landover, MD Pax River, MD St Louis, MI Durham, NC Research Triangle Park, NC Providence, RI Charleston, SC Austin, TX San Antonio, TX Chesapeake, VA Newport News, VA Seattle, WA Milwaukee, WI Morgantown, WV North America SRA Operating Locations Europe
8. Significant Work. Extraordinary People. Inspiring Excellence. SRA. Who are we trying to catch? Nation States, Commercial Companies, Organized Crime Syndicates, Terrorist Organizations
9. Evolution of the Cyber Threat
Cyber threats are becoming extremely sophisticated, but due to a lack of diligence by targeted organizations adversaries are still successful using low-tech attacks. The Internet was designed for information sharing and collaboration; security was a design consideration but wasn’t considered relevant by the users.
- 1966: “Theory of Self-Reproducing Automata”, John von Neumann
- 1971: ‘Catch me if you can’, DEC, first malware via network connection (ARPANET)
- 1974: ‘Wabbit’, first self-replicating Denial of Service
- 1974: ‘Animal’, first Trojan, UNIVAC
- 1981: ‘Elk Cloner’, first large-scale virus, Apple II
- 1986: ‘Virdem’, first to add code to executables (.com) to replicate themselves, Chaos Computer Club
- 1986: ‘Pakistani Flu’, first IBM-compatible virus
- 1987: ‘Cascade’, first self-encrypting virus
- 1988: ‘Morris worm’, first to attack a buffer overflow vulnerability
- 1989: ‘Ghostball’, first multi-part virus infection
- 1993: ‘Freddy Kruger’, first virus to be delivered via BBS/shareware
- 1995: ‘Concept’, first to use MS Word
- 1996: ‘Ply’, polymorphic, built-in mutation engine
- 1999: ‘CIH’, first to infect COTS, attacked BIOS
- 2000: ‘I Love You’, first to infect via email, $10B loss, attacked Registry
- 2002: ‘Beast’, MS Windows backdoor that allowed remote access
- 2004: ‘Vundo’, first to infect via pop-ups
- 2004: ‘Santy’, first web-worm using Google
- 2005: ‘Bandook’, first to hijack PC, botnet
- 2006: ‘Nyxem’, mass mailing used to disable security
- 2007: ‘Storm botnet’, injection via video download
- 2008: ‘Rustock’, first rootkit virus
- 2009: ‘Bohmini, Koobface, Conficker’, Adobe, Facebook, & MS server
- 2010: ‘Stuxnet’, PLC/SCADA control systems
10. Computer Networks - Our Achilles Heel. The world depends on computer networks for national security (military and economic) and safety… and yet the networks are fundamentally flawed across all architectural layers. An Achilles’ heel is a deadly weakness in spite of overall strength, one that can actually or potentially lead to downfall.
12. Defense in Depth. NAS Information System Security (ISS) Enterprise Architecture (EA)
19. APT Example – Step 0: Attacker Places Content on Trusted Site (Source: SANS)
The attacker begins by placing content on a trusted third-party website, such as a social networking, blogging, photo sharing, or video sharing website, or any other web server that hosts content posted by public users. The attacker's content includes exploitation code for unpatched client-side software.
20. APT Example – Step 1: Client-Side Exploitation (Source: SANS)
A user surfs the Internet from a Windows machine that is running an unpatched client-side program, such as a media player (e.g., iTunes, etc.), document display program (e.g., Acrobat Reader), or a MS Office app (e.g., Word, etc.). Upon receiving the attacker's content from the site, the victim user's browser invokes the vulnerable client-side program, passing it the attacker's exploit code. This exploit code allows the attacker to install or execute programs of the attacker's choosing on the victim machine, using the privileges of the user who ran the browser. The attack is partially mitigated because this victim user does not have administrator credentials on this system. Still, the attacker can run programs with those limited user privileges.
21. APT Example – Step 2: Establish Reverse Shell Backdoor Using HTTPS (Source: SANS)
The attacker's exploit code installs a reverse shell backdoor program on the victim machine. This program gives the attacker command shell access to the victim machine, communicating between this system and the attacker using outbound HTTPS access from victim to attacker. The backdoor traffic therefore appears to be regular encrypted outbound web traffic as far as the enterprise firewall and network are concerned.
22. APT Example – Step 3: Dump Hashes and Use Pass-the-Hash Attack to Pivot (Source: SANS)
The attacker uses shell access on the initial victim system to load a local privilege escalation exploit program onto the victim machine. This program allows the attacker to jump from the limited-privilege user account to full system privileges on this machine. The attacker now dumps the password hashes for all accounts on this local machine, including a local administrator account on the system.
23. APT Example – Step 4: Move Laterally and Escalate Permissions (Source: SANS)
Instead of cracking the local administrator password, the attacker uses a Windows pass-the-hash program to authenticate to another Windows machine on the enterprise internal network, a fully patched client system on which this same victim user has full administrative privileges. Using NTLMv1 or NTLMv2, Windows machines authenticate network access for the Server Message Block (SMB) protocol based on user hashes and not the passwords themselves, allowing the attacker to get access to the file system or run programs on the fully patched system with local administrator privileges. The attacker now dumps the password hashes for all local accounts on this fully patched Windows machine.
24. APT Example – Step 5: Pass the Hash to Compromise Domain Controller (Source: SANS)
In Step 5, the attacker uses a password hash from a local account on the fully patched Windows client to access the domain controller system, again using a pass-the-hash attack to gain shell access on the domain controller. Because the password for the local administrator account is identical to the password for a domain administrator account, the password hashes for the two accounts are identical. Therefore, the attacker can access the domain controller with full domain administrator privileges, giving the attacker complete control over all other accounts and machines in that domain.
25. APT Example – Steps 6 and 7: Exfiltration (Source: SANS)
In Step 6, with full domain administrator privileges, the attacker now compromises a server machine that stores secrets for the organization. In Step 7, the attacker exfiltrates this sensitive information, consisting of over 200 Megabytes of data. The attacker pushes this data out to the Internet from the server, again using HTTPS to encrypt the information, minimizing the chance of it being detected.
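Steps 3 to 5 above leave a recognisable trace on the Windows side: a local administrator hash reused over NTLM, and one pivot host opening network logons to several machines in quick succession. The script below is an added example (not part of the SRA deck or the SANS walkthrough) that runs two such heuristics over constructed Windows Security event 4624 records; the host names and events are invented, the field names follow the 4624 event schema, and the thresholds (remote NTLM network logon with a local account; three or more distinct targets from one source within 15 minutes) are assumptions to tune, since local-account network logons also occur legitimately.

```python
"""Hunt for the pass-the-hash pivot pattern (Steps 3-5) in Windows 4624 records.

Added example with constructed sample data. Two heuristics:
  1. local_account_network_logons: a LOCAL account (TargetDomainName equals the
     host's own name) authenticating over the network (LogonType 3) with NTLM
     from a remote address, which is what reuse of a dumped local admin hash
     looks like on the target machine;
  2. lateral_fan_out: one source address opening NTLM network logons to several
     distinct hosts within a short window (the pivot host moving laterally).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4624 (successful logon) records, not real logs.
SAMPLE_EVENTS = [
    # Benign: domain user logs on interactively at his own workstation.
    {"time": "2010-05-01T09:00:00", "Computer": "WS01", "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "-"},
    # Benign: same user reaches a file share with Kerberos.
    {"time": "2010-05-01T09:05:30", "Computer": "FILESRV01", "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.11"},
    # Step 4: WS02's own local Administrator used over the network from WS01.
    {"time": "2010-05-01T09:12:10", "Computer": "WS02", "TargetUserName": "Administrator",
     "TargetDomainName": "WS02", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.11"},
    # Step 5: the identical hash works as the domain Administrator on the DC.
    {"time": "2010-05-01T09:14:02", "Computer": "DC01", "TargetUserName": "Administrator",
     "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.11"},
    # Step 6: the server holding the organization's secrets.
    {"time": "2010-05-01T09:20:45", "Computer": "SECRETS01", "TargetUserName": "Administrator",
     "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.11"},
    # Benign: a machine account doing normal Kerberos network logon.
    {"time": "2010-05-01T09:21:00", "Computer": "FILESRV01", "TargetUserName": "WS03$",
     "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.13"},
]

# Source addresses that mean "this host itself", not a remote peer.
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}


def _parse_time(event):
    return datetime.fromisoformat(event["time"])


def is_network_ntlm(event):
    """Network logon (type 3) authenticated with NTLM from a remote address."""
    return (event["LogonType"] == 3
            and event["AuthenticationPackageName"] == "NTLM"
            and event["IpAddress"] not in LOCAL_SOURCES)


def local_account_network_logons(events):
    """Heuristic 1: remote NTLM logons that use the target host's own local account.

    Returns (time, source_ip, target_host, account) tuples. Machine accounts
    and ANONYMOUS LOGON are skipped because they are noise, not pass-the-hash.
    """
    hits = []
    for ev in events:
        user = ev["TargetUserName"]
        if not is_network_ntlm(ev) or user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
            continue
        if ev["TargetDomainName"].upper() == ev["Computer"].upper():
            hits.append((ev["time"], ev["IpAddress"], ev["Computer"], user))
    return hits


def lateral_fan_out(events, window=timedelta(minutes=15), min_hosts=3):
    """Heuristic 2: one source reaching >= min_hosts distinct hosts via NTLM within window.

    Returns (source_ip, window_start, sorted target hosts) per offending source.
    """
    by_source = defaultdict(list)
    for ev in events:
        if is_network_ntlm(ev):
            by_source[ev["IpAddress"]].append((_parse_time(ev), ev["Computer"]))
    findings = []
    for src, logons in by_source.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append((src, t0.isoformat(), sorted(hosts)))
                break  # one finding per source is enough to raise the alert
    return findings


if __name__ == "__main__":
    for hit in local_account_network_logons(SAMPLE_EVENTS):
        print("local account over NTLM:", hit)
    for finding in lateral_fan_out(SAMPLE_EVENTS):
        print("lateral fan-out:", finding)
```

Both heuristics fire on the same source address here, which is the signal worth correlating: a single host that first authenticates with a local administrator account and then spreads to the domain controller and a secrets server.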
53. CIP Full Spectrum Capabilities
SRA provides a tailored, scalable (from global to asset-specific) framework for all-hazards infrastructure risk management, spanning Preparedness, Prevention, Response and Recovery.
SRA Infrastructure Protection and Resilience Offerings:
- Continuity of Operations / Government Planning
- Interdependencies Analysis
- Regional Resiliency Analysis
- Coordination with State, Local, Tribal and Territorial Governments
- Protective Measures Planning
- Security Awareness
- Vulnerability/Consequence Assessments
- Threat Analysis
- Pandemic Preparedness
- Table Top and Functional Exercises
- Surge and Incident Management Support
- Fusion and Emergency Operations Centers Integration
- Credentialing/Access Policy Analysis
- Public/Private Partnership Creation and Coordination
- Risk Assessment and Analysis
- Policy Analysis
- Communication, Training and Outreach
- Metrics Development and Analysis
- Information Sharing Environment Integration
56. What is One View Analyst? (SOLUTIONS)
One View Analyst is a comprehensive knowledge management system that gathers complex data to uncover vital knowledge. “A software solution for intelligence and law enforcement agencies.” Developed for large-scale data collection and data mining, One View Analyst fully supports the five steps of the intelligence life cycle:
- Searching
- Collecting
- Organizing
- Analyzing
- Reporting
“SMARTER TOOLS”
Editor's Notes
Need the organizational analysis as well as the technical… group modeling, SRA strength
SRA Today (this was deleted from the top right and was covering the SRA logo).
Only a fraction of the types of attacks; the point is that the vulnerabilities are at every level, and the complexity of computer architectures means there will always be new vulnerabilities to be discovered… if we continue to play defense only, we will be in a perpetual whack-a-mole environment.